Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

@arshadnoor No one is trying to force synced keys on anyone, but the reality is that they have always been possible, and are likely to become more common as WebAuthn adoption increases. When WebAuthn L1 was published in March 2019, nothing was stopping you from building a browser with a software authenticator with cloud sync, or an Arduino USB device that speaks CTAP1 and lets you import and export key material. If an RP wanted to forbid such authenticators, it had to require authenticator attestation and enforce an attestation allow-list. This was true then and it will be true tomorrow - RPs may do extra work to place restrictions, but if they don't, users are free to choose an authenticator with the features they want. This goes the other way too: the user is also free to choose a hardware authenticator from which key material cannot be extracted, and nothing will change for existing or future authenticators that choose this path.

This working group cannot speak for what the FIDO Alliance will decide for their certifications.

> Will all those people who have invested in web/mobile applications never have to change their web/mobile apps when Level-3 is standardized if they do not wish to support synchronized key-pairs/credentials?

If they are already enforcing an attestation allow-list, then indeed nothing will change. If they are not, then [as noted above](https://github.com/w3c/webauthn/issues/1691#issuecomment-1020147077), they have based their implementation on assumptions that have always been incorrect. RPs don't need to do anything to support synced keys, but the effort required to _not_ support them is not new.

---

@cyberphone Please stay on the issue topic, web payments are unrelated to this.


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021889160 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 26 January 2022 05:52:50 UTC
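The comment above says that an RP which wants to exclude a class of authenticators (synced or otherwise) has always had to require attestation and enforce an allow-list. The following is an added example of that registration-time policy check, written for this page and not code from the w3c/webauthn project or from emlun. It parses the authenticator data layout from the WebAuthn spec to pull out the AAGUID, rejects registrations whose attestation format is `none`, and then compares the AAGUID against an RP-maintained allow-list. The AAGUIDs, the `authData` bytes and the helper names (`extract_aaguid`, `registration_allowed`, `make_auth_data`) are all constructed for illustration; verifying the attestation statement's signature and certificate chain is assumed to happen before this check and is not shown.

```python
"""Attestation allow-list check for WebAuthn registration (added example).

The AAGUID values and authData bytes are constructed for illustration;
they do not identify any real authenticator model.
"""
import struct
import uuid

# Authenticator data layout (WebAuthn Level 2, section 6.1):
#   rpIdHash (32) | flags (1) | signCount (4, big-endian)
#   | attestedCredentialData (only if flags.AT is set)
#       = aaguid (16) | credentialIdLength (2, big-endian) | credentialId | COSE key
#   | extensions (only if flags.ED is set)
FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included


def extract_aaguid(auth_data: bytes) -> bytes:
    """Return the 16-byte AAGUID from attested credential data, or raise ValueError."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (AT flag clear)")
    # 16 bytes of AAGUID plus 2 bytes of credentialIdLength must follow the header.
    if len(auth_data) < 37 + 18:
        raise ValueError("attested credential data truncated")
    return auth_data[37:53]


def registration_allowed(fmt: str, auth_data: bytes, allow_list: set) -> tuple:
    """Apply the RP policy: attestation is required and the AAGUID must be allow-listed.

    Assumption: the attestation statement (signature, certificate chain) has already
    been validated by the caller; this function only enforces the allow-list.
    Returns (allowed, reason).
    """
    if fmt == "none":
        # With fmt "none" there is no verifiable statement about the authenticator,
        # so an RP that requires attestation must reject here.
        return False, "attestation required but fmt is 'none'"
    try:
        aaguid = extract_aaguid(auth_data)
    except ValueError as exc:
        return False, str(exc)
    if aaguid not in allow_list:
        return False, f"AAGUID {uuid.UUID(bytes=aaguid)} not on allow-list"
    return True, "ok"


def make_auth_data(aaguid: bytes, flags: int = FLAG_UP | FLAG_AT, sign_count: int = 0) -> bytes:
    """Build a minimal authData blob for the sample (constructed; contains no real key)."""
    rp_id_hash = b"\x00" * 32      # placeholder for SHA-256(rpId)
    cred_id = b"\x11" * 16         # constructed credential id
    cose_key = b"\xa0"             # empty CBOR map standing in for the COSE public key
    return (
        rp_id_hash
        + bytes([flags])
        + struct.pack(">I", sign_count)
        + aaguid
        + struct.pack(">H", len(cred_id))
        + cred_id
        + cose_key
    )


# Constructed allow-list: made-up AAGUIDs standing in for RP-approved authenticator models.
ALLOWED_AAGUIDS = {
    uuid.UUID("11111111-1111-1111-1111-111111111111").bytes,
    uuid.UUID("22222222-2222-2222-2222-222222222222").bytes,
}

if __name__ == "__main__":
    approved = make_auth_data(uuid.UUID("11111111-1111-1111-1111-111111111111").bytes)
    unknown = make_auth_data(uuid.UUID("33333333-3333-3333-3333-333333333333").bytes)
    print(registration_allowed("packed", approved, ALLOWED_AAGUIDS))   # allowed
    print(registration_allowed("packed", unknown, ALLOWED_AAGUIDS))    # rejected: not allow-listed
    print(registration_allowed("none", approved, ALLOWED_AAGUIDS))     # rejected: no attestation
```

The point of the example is the one emlun makes: the allow-list is what actually restricts which authenticators an RP accepts, and an RP that skips this step has never had any guarantee about where a credential's private key lives. Maintaining the allow-list (which AAGUIDs map to which models, and how a model's attestation chain is validated) is the ongoing cost of that restriction.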